Netgate Discussion Forum
    Certificates missing for new users after upgrading to 2.4.3-RELEASE-p1

    General pfSense Questions
    13 Posts 2 Posters 1.1k Views
    rostrander

      We recently upgraded to 2.4.3-RELEASE-p1 .
      When I add a new user and select "create certificate", the resulting certificate is zero bytes and there is no key. The OpenVPN Client Export configuration reports server.crt missing. Any help would be appreciated.

      rostrander

        I get the error below when I try to add an internal certificate, which seems like a related symptom:
        The following input errors were detected:

        openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
        openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
        openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
        openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
        openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
        openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line

        rostrander (replying to rostrander)

          Seems to be the same issue here as well https://forum.netgate.com/topic/129341/error-creating-new-internal-certificate

          jimp (Rebel Alliance Developer, Netgate)

            What version did you upgrade from?

            There could be a problem with your original CA. It's also possible there is a problem with your installation in general.

            We have seen cases before where users have customized some portions of pfSense incorrectly (e.g. just changing product_name to something other than pfSense without making the other necessary changes). The system could end up without a proper OpenSSL configuration in that case, which may lead to the errors you see.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            rostrander

              Thanks for the response. It was upgraded from the latest 2.3 release. We didn't customize pfSense; we purchased the commercial appliances from pfSense, now Netgate. The product name changed from pfSense to Netgate, at least from the web UI perspective.

              jimp (Rebel Alliance Developer, Netgate)

                The actual global declaration for $g['product_name'] is still pfSense even on Netgate devices, so it wouldn't be that.

                Anything special about the way this system was installed? Did it use a custom disk layout or was it just a plain/stock install using the typical defaults? Or is it still running the original factory install, but updated?

                rostrander (replying to jimp)

                  @jimp
                  It should be the original factory install with upgrade. That said, we DID have an issue running the upgrade with the primary set as a standby in an HA pair. That's a different issue I'd been meaning to look at. We were finally able to get it to upgrade by disabling CARP on the secondary system and upgrading while the primary was active...

                  jimp (Rebel Alliance Developer, Netgate)

                    OK. Next step is to check the OpenSSL config file. Try the following commands and compare the output.

                    : ls -l /usr/local/share/pfSense/ssl/openssl.cnf
                    -rw-r--r--  1 root  wheel  12017 May 29 13:09 /usr/local/share/pfSense/ssl/openssl.cnf
                    : ls -l /etc/ssl/openssl.cnf
                    -rw-r--r--  1 root  wheel  12017 Jul 23 10:22 /etc/ssl/openssl.cnf
                    : ls -l /usr/local/openssl/openssl.cnf 
                    lrwxr-xr-x  1 root  wheel  20 Jul 23 10:22 /usr/local/openssl/openssl.cnf -> /etc/ssl/openssl.cnf
                    

                    Note that the copy under /usr/local/share/pfSense should be identical in size and content to the one in /etc/ssl/:

                    : sha256 /usr/local/share/pfSense/ssl/openssl.cnf
                    SHA256 (/usr/local/share/pfSense/ssl/openssl.cnf) = ab6e9dfea7b9b94848724f87abf5e1d58fe14c8ea48b13c92dea5d2f57364fd2
                    : sha256 /etc/ssl/openssl.cnf
                    SHA256 (/etc/ssl/openssl.cnf) = ab6e9dfea7b9b94848724f87abf5e1d58fe14c8ea48b13c92dea5d2f57364fd2
                    

                    The above commands are from a 2.4.4 snapshot so the exact hash may be different on yours. It's OK so long as they match and are not zero bytes.

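The comparison above can be scripted so the check is repeatable after a reboot or upgrade. The following is an added example, not code from the thread or from Netgate: it assumes the two paths jimp names, uses whichever of sha256(1), sha256sum(1) or openssl dgst is available, and takes the section names it looks for (usr_cert_san, server, server_san, v3_ca_san) from the diff rostrander posts further down the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate): checks that the pfSense
# master copy of openssl.cnf and the live copy under /etc/ssl are both present,
# non-empty and byte-identical, and that the live copy carries the extension
# sections the pfSense copy adds (section names taken from the diff in the thread).

# Paths are the ones named in the thread; override via environment if needed.
MASTER_CNF="${MASTER_CNF:-/usr/local/share/pfSense/ssl/openssl.cnf}"
LIVE_CNF="${LIVE_CNF:-/etc/ssl/openssl.cnf}"

# Portable SHA-256: FreeBSD ships sha256(1), most Linux systems sha256sum(1),
# and "openssl dgst" works on either.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Prints one status token on stdout (ok, missing-or-empty-master,
# missing-or-empty-live, hash-mismatch, missing-section:<name>) and returns 0
# only for "ok". Details go to stderr so the token stays machine-checkable.
check_openssl_cnf() {
    master="$1"
    live="$2"
    [ -s "$master" ] || { echo "missing-or-empty-master"; return 1; }
    [ -s "$live" ]   || { echo "missing-or-empty-live"; return 1; }
    m_hash="$(file_sha256 "$master")"
    l_hash="$(file_sha256 "$live")"
    if [ "$m_hash" != "$l_hash" ]; then
        echo "master $m_hash" >&2
        echo "live   $l_hash" >&2
        echo "hash-mismatch"
        return 1
    fi
    # Sections present in the pfSense copy but absent from the stock OpenSSL
    # config, per the diff posted in the thread.
    for sec in usr_cert_san server server_san v3_ca_san; do
        grep -q "^\[[[:space:]]*$sec[[:space:]]*\]" "$live" \
            || { echo "missing-section:$sec"; return 1; }
    done
    echo "ok"
}

# Run the check against the real paths only when asked to, so the file can
# also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    check_openssl_cnf "$MASTER_CNF" "$LIVE_CNF"
fi
```

Run it as `sh check_openssl_cnf.sh --check`; a non-zero exit with `hash-mismatch` on stdout and the two digests on stderr is the condition this thread describes, and any `missing-section:` result means the live file is the stock OpenSSL config rather than the pfSense one even if the master copy was also replaced.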
                      rostrander (replying to jimp)

                      @jimp
                      They seem to be different:

                      [2.4.3-RELEASE][ro@]/root: ls -l /usr/local/share/pfSense/ssl/openssl.cnf
                      -rw-r--r--  1 root  wheel  12017 May  9 10:43 /usr/local/share/pfSense/ssl/openssl.cnf
                      [2.4.3-RELEASE][ro@]/root: ls -l /etc/ssl/openssl.cnf
                      -rw-r--r--  1 root  wheel  10847 May 10 20:08 /etc/ssl/openssl.cnf
                      [2.4.3-RELEASE][ro@]/root: ls -l /usr/local/openssl/openssl.cnf
                      lrwxr-xr-x  1 root  wheel  28 May  3  2017 /usr/local/openssl/openssl.cnf -> ../../../etc/ssl/openssl.cnf
                      [2.4.3-RELEASE][ro@]/root: cd /usr/local/openssl/
                      [2.4.3-RELEASE][ro@]/usr/local/openssl: ls -l ../../../etc/ssl/openssl.cnf
                      -rw-r--r--  1 root  wheel  10847 May 10 20:08 ../../../etc/ssl/openssl.cnf
                        rostrander (replying to rostrander)

                        [2.4.3-RELEASE][ro]/usr/local/openssl: diff /usr/local/share/pfSense/ssl/openssl.cnf /etc/ssl/openssl.cnf
                        12,15d11
                        < # pfSense: default SAN value if $ENV::SAN is not defined
                        < #
                        < SAN			=
                        <
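Review bot: the empty `SAN =` default that this hunk adds in the pfSense copy is what lets the `subjectAltName = $ENV::SAN` lines in the `*_san` sections further down this diff load when no SAN environment variable is set, since OpenSSL falls back to a same-named variable in the config's default section when an `$ENV::` lookup fails. The stock `/etc/ssl/openssl.cnf` has no such default, which is consistent with it also lacking the `*_san` sections rather than being a separate problem.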
                        23c19
                        < # extensions		=
                        ---
                        > # extensions		=
                        36,38c32,34
                        < # tsa_policy1 = 1.2.3.4.1
                        < # tsa_policy2 = 1.2.3.4.5.6
                        < # tsa_policy3 = 1.2.3.4.5.7
                        ---
                        > tsa_policy1 = 1.2.3.4.1
                        > tsa_policy2 = 1.2.3.4.5.6
                        > tsa_policy3 = 1.2.3.4.5.7
                        57c53
                        < #crlnumber	= $dir/crlnumber	# the current crl number
                        ---
                        > crlnumber	= $dir/crlnumber	# the current crl number
                        76c72
                        < crl_extensions	= crl_ext
                        ---
                        > # crl_extensions	= crl_ext
                        111d106
                        < prompt			= no
                        122c117
                        < # This sets a mask for permitted string types. There are several options.
                        ---
                        > # This sets a mask for permitted string types. There are several options.
                        129c124
                        < string_mask = nombstr
                        ---
                        > string_mask = utf8only
                        131c126
                        < req_extensions = v3_req # The extensions to add to a certificate request
                        ---
                        > # req_extensions = v3_req # The extensions to add to a certificate request
                        134,137c129,132
                        < countryName			= US
                        < #countryName_default		= AU
                        < #countryName_min			= 2
                        < #countryName_max			= 2
                        ---
                        > countryName			= Country Name (2 letter code)
                        > countryName_default		= AU
                        > countryName_min			= 2
                        > countryName_max			= 2
                        139,140c134,135
                        < stateOrProvinceName		= Some-State
                        < #stateOrProvinceName_default	= Some-State
                        ---
                        > stateOrProvinceName		= State or Province Name (full name)
                        > stateOrProvinceName_default	= Some-State
                        142c137
                        < localityName			= Somecity
                        ---
                        > localityName			= Locality Name (eg, city)
                        144,145c139,140
                        < 0.organizationName		= CompanyName
                        < #0.organizationName_default	= Internet Widgits Pty Ltd
                        ---
                        > 0.organizationName		= Organization Name (eg, company)
                        > 0.organizationName_default	= Internet Widgits Pty Ltd
                        155c150
                        < #commonName_max			= 64
                        ---
                        > commonName_max			= 64
                        158c153
                        < #emailAddress_max		= 64
                        ---
                        > emailAddress_max		= 64
                        164,165c159,160
                        < #challengePassword_min		= 4
                        < #challengePassword_max		= 20
                        ---
                        > challengePassword_min		= 4
                        > challengePassword_max		= 20
                        171,250c166,216
                        < basicConstraints		= CA:FALSE
                        < keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
                        < nsComment			= "OpenSSL Generated User Certificate"
                        < subjectKeyIdentifier		= hash
                        < authorityKeyIdentifier		= keyid,issuer:always
                        < extendedKeyUsage		= clientAuth
                        <
                        < [ usr_cert_san ]
                        <
                        < # copy of [ usr_cert ] plus nonempty Subject Alternative Names
                        < basicConstraints		= CA:FALSE
                        < keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
                        < nsComment			= "OpenSSL Generated User Certificate"
                        < subjectKeyIdentifier		= hash
                        < authorityKeyIdentifier		= keyid,issuer:always
                        < extendedKeyUsage		= clientAuth
                        < subjectAltName			= $ENV::SAN
                        <
                        < [ server ]
                        <
                        < # Make a cert with nsCertType=server
                        < basicConstraints		= CA:FALSE
                        < nsCertType			= server
                        < keyUsage			= digitalSignature, keyEncipherment
                        < nsComment			= "OpenSSL Generated Server Certificate"
                        < subjectKeyIdentifier		= hash
                        < authorityKeyIdentifier		= keyid,issuer:always
                        < extendedKeyUsage		= serverAuth,1.3.6.1.5.5.8.2.2
                        <
                        < [ server_san ]
                        <
                        < # copy of [ server ] plus nonempty Subject Alternative Names
                        < basicConstraints		= CA:FALSE
                        < nsCertType			= server
                        < keyUsage			= digitalSignature, keyEncipherment
                        < nsComment			= "OpenSSL Generated Server Certificate"
                        < subjectKeyIdentifier		= hash
                        < authorityKeyIdentifier		= keyid,issuer:always
                        < extendedKeyUsage		= serverAuth,1.3.6.1.5.5.8.2.2
                        < subjectAltName			= $ENV::SAN
                        <
                        < [ req_usr_cert ]
                        <
                        < # Copy of [ usr_cert ] for CSR
                        < basicConstraints		= CA:FALSE
                        < keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
                        < nsComment			= "OpenSSL Generated User Certificate"
                        < subjectKeyIdentifier		= hash
                        < extendedKeyUsage		= clientAuth
                        <
                        < [ req_usr_cert_san ]
                        <
                        < # Copy of [ usr_cert_san ] for CSR
                        < basicConstraints		= CA:FALSE
                        < keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
                        < nsComment			= "OpenSSL Generated User Certificate"
                        < subjectKeyIdentifier		= hash
                        < extendedKeyUsage		= clientAuth
                        < subjectAltName			= $ENV::SAN
                        <
                        < [ req_server ]
                        <
                        < # Copy of [ server ] for CSR
                        < basicConstraints		= CA:FALSE
                        < nsCertType			= server
                        < keyUsage			= digitalSignature, keyEncipherment
                        < nsComment			= "OpenSSL Generated Server Certificate"
                        < subjectKeyIdentifier		= hash
                        < extendedKeyUsage		= serverAuth,1.3.6.1.5.5.8.2.2
                        <
                        < [ req_server_san ]
                        <
                        < # Copy of [ server_san ] for CSR
                        < basicConstraints		= CA:FALSE
                        < nsCertType			= server
                        < keyUsage			= digitalSignature, keyEncipherment
                        < nsComment			= "OpenSSL Generated Server Certificate"
                        < subjectKeyIdentifier		= hash
                        < extendedKeyUsage		= serverAuth,1.3.6.1.5.5.8.2.2
                        < subjectAltName			= $ENV::SAN
                        ---
                        > # These extensions are added when 'ca' signs a request.
                        >
                        > # This goes against PKIX guidelines but some CAs do it and some software
                        > # requires this to avoid interpreting an end user certificate as a CA.
                        >
                        > basicConstraints=CA:FALSE
                        >
                        > # Here are some examples of the usage of nsCertType. If it is omitted
                        > # the certificate can be used for anything *except* object signing.
                        >
                        > # This is OK for an SSL server.
                        > # nsCertType			= server
                        >
                        > # For an object signing certificate this would be used.
                        > # nsCertType = objsign
                        >
                        > # For normal client use this is typical
                        > # nsCertType = client, email
                        >
                        > # and for everything including object signing:
                        > # nsCertType = client, email, objsign
                        >
                        > # This is typical in keyUsage for a client certificate.
                        > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
                        >
                        > # This will be displayed in Netscape's comment listbox.
                        > nsComment			= "OpenSSL Generated Certificate"
                        >
                        > # PKIX recommendations harmless if included in all certificates.
                        > subjectKeyIdentifier=hash
                        > authorityKeyIdentifier=keyid,issuer
                        >
                        > # This stuff is for subjectAltName and issuerAltname.
                        > # Import the email address.
                        > # subjectAltName=email:copy
                        > # An alternative to produce certificates that aren't
                        > # deprecated according to PKIX.
                        > # subjectAltName=email:move
                        >
                        > # Copy subject details
                        > # issuerAltName=issuer:copy
                        >
                        > #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
                        > #nsBaseUrl
                        > #nsRevocationUrl
                        > #nsRenewalUrl
                        > #nsCaPolicyUrl
                        > #nsSslServerName
                        >
                        > # This is required for TSA certificates.
                        > # extendedKeyUsage = critical,timeStamping
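Review bot: this hunk is the one that explains the zero-byte certificates. The stock `/etc/ssl/openssl.cnf` has only a generic `[ usr_cert ]` in which everything except `basicConstraints`, `nsComment`, `subjectKeyIdentifier` and `authorityKeyIdentifier` is commented out, and it contains none of the `[ usr_cert_san ]`, `[ server ]`, `[ server_san ]` or `[ req_* ]` sections the pfSense copy defines; OpenSSL will not issue a certificate or CSR when the extensions section it is asked to use is absent from the loaded config, and an empty result is consistent with the `PEM_read_bio:no start line` errors earlier in the thread. Note also that the per-role `extendedKeyUsage` (clientAuth for user certificates, serverAuth plus 1.3.6.1.5.5.8.2.2 for server certificates) and the `$ENV::SAN` subjectAltName exist only in the pfSense copy, so restoring that copy, as is done later in the thread, is the right fix rather than hand-editing the stock file.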
                        259d224
                        <
                        261a227
                        >
                        269c235
                        < authorityKeyIdentifier=keyid:always,issuer:always
                        ---
                        > authorityKeyIdentifier=keyid:always,issuer
                        280c246
                        < keyUsage = cRLSign, keyCertSign
                        ---
                        > # keyUsage = cRLSign, keyCertSign
                        296,303d261
                        < [ v3_ca_san ]
                        <
                        < # copy of [ v3_ca ] plus nonempty Subject Alternative Names
                        < subjectKeyIdentifier=hash
                        < authorityKeyIdentifier=keyid:always,issuer:always
                        < basicConstraints=CA:true
                        < subjectAltName=$ENV::SAN
                        <
                        310c268
                        < authorityKeyIdentifier=keyid:always,issuer:always
                        ---
                        > authorityKeyIdentifier=keyid:always
                          rostrander

                          Seems to have fixed it by copying it over:
                          cp /usr/local/share/pfSense/ssl/openssl.cnf /etc/ssl/openssl.cnf
                          THANK YOU

                            jimp (Rebel Alliance Developer, Netgate)

                            Well, that solves why it wasn't generating the certificates, but not why that copy didn't happen when it should. That should be done at every boot automatically, and for some reason it didn't happen for you. It should be OK between reboots, but you may want to confirm that for certain. Upgrades may also be questionable there, but that's harder to confirm since we haven't changed that file in a while.

                              rostrander

                              Yes, related to the (reverse NAT?) issue with upgrading the standby; the first attempt at upgrading did not complete before timing out. I believe I got an "upgrade already in progress" when I ran a subsequent upgrade from the shell and then wound up rebooting...

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.